Abstract: A particular protection mechanism from the protection literature, the take and grant system, is presented. For this particular mechanism it is shown that the safety problem can be solved in linear time. Moreover, the security policies that are enforceable by this mechanism are then characterized.
I. Introduction

The theoretical analysis of systems for protecting the security of information should be of interest to the practitioner as well as the theoretician. The practitioner must convince users that the integrity of their programs and files is maintained, i.e. he must convince them that the operating system and its mechanisms will correctly protect these programs and files. Vague or informal arguments are unacceptable since they are often wrong. Indeed the folklore is replete with stories of "secure" systems being compromised in a matter of hours.

A primary reason for the abundance of these incidents is that even a small set of apparently simple protection primitives can often lead to complex systems that can be exploited, and therefore compromised, by some adversary. But it is precisely this fact, simple primitives with complex behavior, that lures the theoretician. Our purpose here is to present a concrete example of a protection system and then to completely analyze its behavior.

Our motivation for doing this analysis is twofold. The protection system that we will study is not one we invented; rather it appears for example in Cohen [1]. Moreover it is closely related to systems studied in Denning and Graham [2] and Jones [4]. This point is most important, for the space of possible protection systems is exceedingly rich and it is trivial to think up arbitrary systems to study. We are not interested in arbitrary systems, but in systems that have practical application.

The above motivation is necessary but not sufficient for us to establish that these questions should interest the theoretician. Our second reason for studying these problems is that in a natural way they can be viewed as "generalizations of transitive closure." Informally, our problems have the form:

Given: A directed labeled graph G and a set of rewriting rules R.

Determine: Whether or not there is a sequence of graphs G_0, G_1, ..., G_n such that G = G_0, G_n has property X, and each G_{i+1} follows from G_i by one application of a rule in R.

Here property X encodes that there is a protection violation in G_n. Our goal then is to determine whether or not such a G_n can be reached, i.e. determine if a protection violation is possible.

Property X is frequently stated as

X: there is an edge from vertex p to q with label α.

This property looks very much like a transitive closure question. Indeed if the rules R only allowed the addition of arcs, then these problems would be easily solved by known methods. They are not so simple. The rules of interest to those in protection, and the particular rules we will study, allow new vertices to be added. This simple change of allowing graphs to "grow new vertices" makes the problem challenging. Indeed the particular model we will study is no longer even obviously decidable.


Let us now make the above concrete by introducing the particular protection system we will study. We consider directed graphs whose arcs are labeled with an r or w or c. While we will manipulate these graphs as formal objects it is helpful to keep in mind the following informal semantics: A vertex corresponds to a user, r = read, w = write, c = call.

If there is a directed arc from x to y with label r (respectively w, c), then x can read y (respectively write, call). For example, in the graph

[Figure: x --w--> y and x --r--> z]

x can write y, x can read z, but y cannot write z since this edge is missing.

More formally, a protection graph is a finite, directed, loop-free graph with each arc labeled by a nonempty subset of {r,w,c}. We interpret the case where an arc is labeled with other than a single element to mean that multiple "rights" are allowed.

This protection model, called the take and grant system, is now completed by presenting five rewriting rules.

1. Take: Let x, y, and z be three distinct vertices in a protection graph G and let there be an arc from x to y with label γ such that r ∈ γ and an arc from y to z with some label α ∈ {r,w,c}. Then the take rule allows one to add the arc from x to z with label α yielding a new graph G'. Intuitively x takes the ability to do α to z from y. We will represent this rule by

   x --r--> y --α--> z   ⇒   x --r--> y --α--> z  together with  x --α--> z

2. Grant: Let x, y and z be distinct vertices in a protection graph G and let there be an arc from x to y with label γ such that w ∈ γ and an arc from x to z with label α ∈ {r,w,c}. Then the grant rule allows one to add an arc from y to z with label α yielding a new graph G'. Intuitively x grants y the ability to do α to z. In our representation

   x --w--> y,  x --α--> z   ⇒   x --w--> y,  x --α--> z  together with  y --α--> z

3. Create: Let x be any vertex in a protection graph, then create allows one to add a new vertex n and an arc from x to n with label {r,w,c} yielding a new graph G'. Intuitively x creates a new user that it can read, write and call. In our representation

   x   ⇒   x --r,w,c--> n

4. Call: Let x, y and z be distinct vertices in a protection graph G and let α ∈ {r,w,c} be the label on an arc from x to y and γ the label on an arc from x to z such that c ∈ γ. Then the call rule allows one to add a new vertex n, an arc from n to y with label α, and an arc from n to z with label r yielding a new graph G'. Intuitively x is calling a program z and passing parameters y. The "process" n is created to effect the call: n can read the program z and can α the parameters. In our representation

   x --α--> y,  x --c--> z   ⇒   x --α--> y,  x --c--> z  together with  n --α--> y,  n --r--> z

5. Remove: Let x and y be distinct vertices in a protection graph G with an arc from x to y with label α. Then the remove rule allows one to remove the arc from x to y yielding a new graph G'. Intuitively x removes its rights to y. In our representation

   x --α--> y   ⇒   x     y

The remove rule is defined mainly for completeness, since protection systems tend to have such a rule. Moreover, we expect to study properties of protection systems other than protection violations which will use remove in a crucial way. But, for the present, remove may be ignored.

The operation of applying one of the rules to a protection graph G yielding a new protection graph G' is written G ⊢ G'. As usual G ⊢* G' denotes the reflexive, transitive closure of ⊢.

An important technical point is that this system is monotone in the sense that if a rule can be applied, then adding arcs cannot change this. The monotone property is crucial later.

Now that we have seen the rules, let us look at their behavior. We will start with a simple question: in the graph

[Figure: initial protection graph containing y and z, with an arc labeled r into z but no arc from y to z]

is it possible for y to read z? The answer is obviously no since there is no read arc from y to z. But we are really asking: is there a sequence of rule applications that leads to a graph with a read arc from y to z? More generally, say p can α q if there is a sequence of rule applications that leads to a graph with an α arc from p to q. Then to state our question more precisely, we ask: is it true that y can read z? Clearly, without create, the answer is no since none of the operations take, grant, or call can apply. The following sequence of applications of the rules* shows that by using create the answer is yes:

[Figure: sequence of rule applications, beginning with "y creates" a new vertex with label r,w,c]

*In the diagrams, dashed lines are used only as a visual aid to set off the added arcs of the current operation.
This example demonstrates the kind of graph-theoretic problems we will be studying. Our main theorem is stated in the next section. This theorem presents a complete answer to the question: is it true that p can α q? Indeed this theorem leads easily to a linear time algorithm for answering the question.

A final word about how this theorem contributes to our understanding of protection. Each user of a protection system needs to know:

what information of mine can be accessed by others;
what information of others can be accessed by me?

The question is vague in general, but here it is rendered in the simple question: is it true that p can α q?
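As an added example, not from the paper, the following simulator implements the take, grant, create and call rules stated above and replays a derivation of the kind just shown on a constructed graph (y <--r-- x --r--> z), in which no rule applies until y creates a new vertex; the class and function names are ours.

```python
class ProtectionGraph:
    """Directed, loop-free graph; each arc carries a nonempty subset of {r,w,c}."""

    def __init__(self):
        self.arcs = {}    # (src, dst) -> set of rights on that arc
        self.fresh = 0    # counter for vertices added by create and call

    def label(self, x, y):
        return self.arcs.get((x, y), set())   # empty set if no arc exists

    def add(self, x, y, rights):
        assert x != y and rights and set(rights) <= {"r", "w", "c"}
        self.arcs.setdefault((x, y), set()).update(rights)

    def new_vertex(self, prefix="n"):
        self.fresh += 1
        return f"{prefix}{self.fresh}"

    # Rule 1 (take): x --r--> y and y --alpha--> z  yield  x --alpha--> z
    def take(self, x, y, z, alpha):
        if len({x, y, z}) < 3 or "r" not in self.label(x, y) \
                or alpha not in self.label(y, z):
            raise ValueError("take not applicable")
        self.add(x, z, {alpha})

    # Rule 2 (grant): x --w--> y and x --alpha--> z  yield  y --alpha--> z
    def grant(self, x, y, z, alpha):
        if len({x, y, z}) < 3 or "w" not in self.label(x, y) \
                or alpha not in self.label(x, z):
            raise ValueError("grant not applicable")
        self.add(y, z, {alpha})

    # Rule 3 (create): any x may add a new n with x --r,w,c--> n
    def create(self, x):
        n = self.new_vertex()
        self.add(x, n, {"r", "w", "c"})
        return n

    # Rule 4 (call): x --alpha--> y (parameters) and x --c--> z (program)
    # yield a new process n with n --alpha--> y and n --r--> z
    def call(self, x, y, z, alpha):
        if len({x, y, z}) < 3 or alpha not in self.label(x, y) \
                or "c" not in self.label(x, z):
            raise ValueError("call not applicable")
        n = self.new_vertex("proc")
        self.add(n, y, {alpha})
        self.add(n, z, {"r"})
        return n


def y_reads_z_via_create():
    """Constructed instance (not the paper's figure): y <--r-- x --r--> z.
    No take, grant or call applies at first; once y creates n, x can take
    and grant so that y ends up reading z. Returns the final label on (y, z)."""
    g = ProtectionGraph()
    g.add("x", "y", {"r"})
    g.add("x", "z", {"r"})
    n = g.create("y")           # y --r,w,c--> n
    g.take("x", "y", n, "w")    # x reads y and y writes n: x --w--> n
    g.grant("x", n, "z", "r")   # x writes n and x reads z: n --r--> z
    g.take("y", n, "z", "r")    # y reads n and n reads z: y --r--> z
    return frozenset(g.label("y", "z"))
```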

The types of protection models studied here have received considerable attention recently. Our approach is related closely to the interesting work of Harrison, Ruzzo, and Ullman [3]. They show that what can be called the "uniform safety problem" is undecidable. Interpreted as a graph model, their result says that given an arbitrary set of rules (similar in spirit to take, grant, etc.) and an initial graph, it is undecidable whether or not there will ever be an arc from p to q with label α. This is a uniform problem in the sense that the rules are arbitrary. Even when the rules have to satisfy certain additional constraints the results of [3] and the results of Lipton and Snyder [6] show that protection is impracticably complex.

Our view here is that since the uniform protection problem is so difficult and since operating systems usually require only one fixed set of protection rules, then the nonuniform problem should be studied. As stated before we chose the particular take and grant system by studying the protection literature.
II. Basic Results

Our objective is to show that there are two simple conditions that are necessary and sufficient to determine if vertex p can α vertex q. Let G be a protection graph and α ∈ {r,w,c}. Call p and q connected if there exists a path between p and q independent of the directionality or labels of the arcs. Define the predicates:

Condition 1: p and q are connected in G.

Condition 2: there exists a vertex x in G and an arc from x to q with label β such that

α = r implies {r,c} ∩ β ≠ ∅, or
α = w implies w ∈ β, or
α = c implies c ∈ β.

Informally, these conditions state that p can α q if and only if there is an undirected path between p and q (condition 1) and some vertex x α's q (condition 2).

The first step is to demonstrate the necessity of conditions (1) and (2).

Lemma 1: If G is a protection graph with vertices p and q and α is a label, then p can α q implies (1).

Proof: Suppose p can α q and assume (1) is not satisfied in G_0, ..., G_i. Then (1) is not satisfied in G_{i+1} since no rule application connects existing vertices not already connected. Hence p and q are not connected in G_n contrary to the assumption that p can α q. Therefore (1) must be satisfied. □
Lemma 2: If G is a protection graph with vertices p and q and α is a label, then p can α q implies (2).

Proof: If p can α q either there is an arc labeled α incoming to q in G, in which case (2) is satisfied, or else there is no incoming arc with label α in G_0, ..., G_i and G_{i+1} has such a labeled arc. Since take and grant merely copy arcs, G_i ⊢ G_{i+1} did not occur by means of take or grant. Create could not have applied, so G_i ⊢ G_{i+1} by application of call. But no incoming α can be created that didn't previously exist as an incoming arc satisfying the lemma. Thus the arc couldn't be added and p can α q must be false, contradicting our original assumption. Hence p can α q implies (2). □


To simplify matters later and to clear up an apparent anomaly in condition (2), we next show that if a user is allowed to call another user then he is allowed to read him as well. It is this fact that allows us to write {r,c} ∩ β ≠ ∅ in condition (2) rather than just r ∈ β.

Lemma 3: In a protection graph G, an arc from x to y with label c implies x can read y.

Proof: Apply the following rules:

[Figure: sequence of rule applications: x creates a new vertex with label r,w,c; x calls; a grant; x takes; ending with an arc labeled r from x to y]

We next prove a key lemma that shows that the directionality and labels along a connected path are unimportant. Call vertices p and q of a protection graph directly connected if there is an arc between them independent of the directionality.


Lemma 4: Let p, q and x be distinct vertices in a protection graph, let there be an arc from x to q with label α and let p and x be directly connected. Then p can α q.

Proof: By monotonicity, there are only six distinct cases.

[Figure: the six cases and the rule applications for each]

Lemma 5: Let p, q and x be distinct vertices in a protection graph such that p is directly connected to q and there is an arc from x to q with label γ such that {r,c} ∩ γ ≠ ∅. Then p can read q.

Proof: By lemma 3 we can assume that γ = r. Then we apply the following rules:

[Figure: q creates a new vertex n with label r,w,c; x takes; x grants]

By application of lemma 4 (on the path p, q, n) we can realize

[Figure: the resulting read arc from p to q]
Lemma 6: Let p, q and x be distinct vertices in a protection graph such that p is directly connected to q and there is an arc from x to q with label γ such that w ∈ γ. Then p can write q.

Proof: We apply the following rules:

[Figure: sequence of rule applications ending with a write arc from p to q]

Lemma 7: Let p, q and x be distinct vertices in a protection graph such that p is directly connected to q and there is an arc from x to q with label γ such that c ∈ γ. Then p can call q.

Proof: Apply the following rules:

[Figure: sequence of rule applications introducing new vertices n_1 and n_2]

By lemma 4 (along path q, x, n_1) we can realize

[Figure]

By a second application of lemma 4 (along path p, q, n_2) we get

[Figure]

then p takes

[Figure: the resulting call arc from p to q]
Theorem: Let p and q be distinct vertices in a protection graph and α a label. Conditions (1) and (2) are necessary and sufficient to imply p can α q.

Proof: Lemma 1 and lemma 2 demonstrate necessity so we proceed by induction to show sufficiency. Let p = x_n, x_{n-1}, ..., x_1, x_0 = q be the vertices on a connected path.

(Basis) For n = 1, there are two possibilities. The x guaranteed by condition (2) either coincides with x_1 = p, in which case the sufficiency is immediately true, or else x and x_1 are distinct. By lemmas 5, 6 and 7, p can α q.

(Induction) Suppose the theorem is true for n ≥ 1 and p = x_{n+1} and x_{n+1} is directly connected to x_n. By hypothesis x_n can α q, and by lemma 4 this implies x_{n+1} can α q. □
Corollary 1: There is an algorithm for deciding if p can α q that operates in linear time in the size of the protection graph.

Proof: To verify condition (1) apply any standard connectivity algorithm. Verifying condition (2) requires no more time than scanning the in arcs to vertex q.
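The decision procedure of Corollary 1 written out as an added example (not the paper's own code): condition (1) is checked by a breadth-first search that ignores arc direction, condition (2) by one pass over the arcs that enter q. The sample graph, vertex names and function names are constructed for illustration.

```python
from collections import deque

# Incoming labels that certify condition (2) for each right alpha;
# an incoming c arc suffices for read because of lemma 3.
ENABLING = {"r": {"r", "c"}, "w": {"w"}, "c": {"c"}}


def connected(arcs, p, q):
    """Condition (1): undirected path from p to q, by breadth-first search, O(V + E)."""
    adj = {}
    for x, y in arcs:
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    seen, todo = {p}, deque([p])
    while todo:
        v = todo.popleft()
        if v == q:
            return True
        for u in adj.get(v, ()):
            if u not in seen:
                seen.add(u)
                todo.append(u)
    return False


def some_vertex_alphas(arcs, q, alpha):
    """Condition (2): one pass over the arcs, keeping those entering q, O(E)."""
    return any(y == q and bool(ENABLING[alpha] & rights)
               for (x, y), rights in arcs.items())


def can(arcs, p, q, alpha):
    """Theorem: p can alpha q iff (1) and (2) hold.
    arcs maps (src, dst) to the set of rights on that arc."""
    if p == q or alpha not in ENABLING:
        raise ValueError("need distinct p, q and alpha in {r, w, c}")
    return connected(arcs, p, q) and some_vertex_alphas(arcs, q, alpha)


# Constructed graph: y <--r-- x --r--> z plus a separate component u --w--> v.
SAMPLE = {("x", "y"): {"r"}, ("x", "z"): {"r"}, ("u", "v"): {"w"}}


def sample_answers():
    """Decisions on SAMPLE: a right is attainable exactly when the target
    already has an enabling in-arc and the asker is in the same component."""
    return {
        "y reads z": can(SAMPLE, "y", "z", "r"),   # True: connected, x reads z
        "z reads y": can(SAMPLE, "z", "y", "r"),   # True: connected, x reads y
        "y writes z": can(SAMPLE, "y", "z", "w"),  # False: no w arc enters z
        "y calls z": can(SAMPLE, "y", "z", "c"),   # False: no c arc enters z
        "u reads z": can(SAMPLE, "u", "z", "r"),   # False: different component
    }
```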

An obvious consequence of the constructions of this section is that it is simple to acquire the right to a given object if it can be acquired.

Corollary 2: If p can α q then there exists a sequence of takes, grants and creates containing m terms that places an arc from p to q with label α. Moreover, m is linear in the length of any path between p and q.
III. Discussion

The consequence of our main theorem is that we can precisely state the protection policy for this take-grant system.

Policy: If p can read (write) (call) q then any user in the connected component containing p and q can attain the right to read (write) (read and call) q.

This policy may appear to be more undiscriminating than one might have expected. A primary reason for this is that our take-grant system treats all elements of the system the same whereas most protection models [3] recognize two different entities: subjects and objects. If we dichotomize the vertices of our model into subject and object sets and require (as is usually the case) that only subjects can initiate the application of our rules,* then the system becomes much more difficult to analyze. Such an analysis has recently been completed and appears in Jones, Lipton, Snyder [5]. It should be noted that in the dichotomized model there are protection graphs that satisfy conditions (1) and (2) such that p can α q is false.

*The restriction that only subjects can initiate protection rules is enforced by requiring the x vertex in our rule definitions to be a subject; all other vertices may be either subjects or objects.

In addition to completing the subject/object analysis, there are other problems to be studied. For example consider a protection graph G where there is an arc from vertex x to vertex q with label t where t is a new type of label. We then wish to know if p can t q, i.e. if there is a series of takes, grants, creates, and calls that leads to a graph with an arc from p to q with label t. The key to this problem is that while label t can be taken and granted it has no special role(s) as r, w and c do. The label t is simply something that is passed around, and that is all. A graph such as

[Figure: a graph on vertices p and q]

shows that our theorem is no longer true under these new assumptions.

Another way to modify our system is to control the amount of cooperation necessary to obtain a particular right. With each rule application the vertex that is denoted x in our definitions will be called a conspirator. Thus in

[Figure: a rule application initiated by x]

x is a conspirator. Then an interesting question is, if p can α q, can it do so with at most m conspirators. One might then hope to attach some kind of likelihoods in a precise way to whether or not a system is secure.

In general there are many other problems to be studied. All of these problems are in a sense generalizations of transitive closure. The key and most important aspect of this generalization is that the most interesting rules allow "growth," i.e. the addition of new vertices. It appears that understanding the structure of such problems is interesting beyond its application to the study of protection models.


Acknowledgement: We gratefully acknowledge the help of our colleague Anita K. Jones for her role in developing this model and the careful comments of a referee.


References

1. E. Cohen. Ph.D. Thesis (in progress), Carnegie-Mellon University, 1976.

2. P. J. Denning and G. S. Graham. Protection principles and practice. AFIPS Conference Proceedings 40:417-429, 1972.

3. M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. On protection in operating systems. Proceedings of the 5th Annual SIGOPS Conference, 1975.

4. A. K. Jones. Protection in programmed systems. Ph.D. Thesis, Carnegie-Mellon University, 1973.

5. A. K. Jones, R. J. Lipton and L. Snyder. A linear time algorithm for deciding subject-object security. Proc. of 17th Annual FOCS Conference, Houston, 1976.

6. R. J. Lipton and L. Snyder. Synchronization and security. In preparation, 1976.


